I'm currently reading Cory Doctorow's novel Little Brother which includes a part about encrypted messaging, and even wrapping messages first in my private key and then your public key.

I'd like to play around with that but from what I've googled so far it seems to be a rather convoluted process, requiring installing several program components, and creating an encrypted message requires doing some manual file manipulation.

I'm surprised that I can't find something like a Firefox plugin that integrates encryption into Gmail. I've seen that there is a Thunderbird PGP plugin, but I don't use T-bird. I also saw a blog post that Google apparently toyed with PGP support in 2009, but nothing has appeared in the meantime.

Question:
To use encryption with Gmail, is there a simpler method than creating a file locally, then encrypting that file, and finally attaching it to a regular Gmail message?

I'm interested in the solutions to this as well. I've wanted to start using email encryption but it seems there is poor support for it at all outside of 3rd party clients, if at all. I was looking into it for use with Outlook 2010 and just didn't want to try as hard as it seemed was required to even make it function.
– Melikoth, Sep 27 '12 at 12:06

The technical hurdles aside --where will you keep your secret key and how does the browser access it for Google to use-- this, it seems to me, is outside of their commercial interests. Google, Yahoo, Aol, and others scan your email for data used to develop targeted ads to you and those you send mail to and receive mail from. Large scale support of encrypted mail would make this moot unless the mail were scanned before sending. If that were the case, where's the privacy?
– thisfeller, Sep 27 '12 at 12:18

2

@thisfeller: interesting points! I see that crypto goes against commercial interests, that might explain why that Gmail PGP thing never arrived. And where to store the keys ... I don't even understand where to put them without Firefox so I can't answer that :)
– Torben Gundtofte-Bruun, Sep 27 '12 at 12:26

1

@thisfeller You could beat them by having a pseudo message, maybe created by Eliza or similar, and have the encrypted message as attachment.
– ott--, Oct 30 '12 at 20:41

6 Answers
6

Generally there are two approaches to achieve your goal. For this example I would go with GPG, as it is the open alternative to proprietary PGP, which I do not have a license to use. Basically you will need an OpenPGP library as well as your public/private key pair.

Using Gmail in web browser

These are seamlessly integrated into the browser, so in your Gmail session additional buttons will be shown on an encrypted message - show original, decrypt - and encrypt for new messages.

Personally I would stick with the second option, using a thick email client, since in the first option you have to import your private key directly into a web browser extension, where it is easier for a potential attacker to steal. Generally speaking, what makes a private key private is the fact that it's stored in a secret place and accessed ONLY when needed.
– laika, Oct 31 '12 at 15:14

3

You forgot option 3: ditch the thick email client and use a thin one (i.e., mutt.org).
– g33kz0r, Jul 11 '13 at 21:41

For Apple Mail, this looks like a good solution: gpgtools.org
– ford, Sep 13 '13 at 20:50

1

@ford OS X users who use the default client should be aware of this issue involving clear text drafts on Google servers.
– chb, Jan 15 '14 at 6:53

Good answer: I ran tests with Gmail+Thunderbird+Enigmail and it was very well integrated. Unfortunately the subject was not encrypted, just the body. I do not know if there are options to encrypt the Subject part as well...
– ruffp, Feb 19 '14 at 20:05

Mailvelope is a new browser plugin that provides OpenPGP encryption for Gmail/Google Apps, Outlook, Yahoo!, and GMX. According to Lifehacker:

Mailvelope is in beta, and there's a full extension available for Chrome, and an early beta available for Firefox, but when we tested it both extensions worked well. Gmail/Google Apps, Outlook, Yahoo!, and GMX are all supported, and the app can be configured to support others. After installing the extension, you can generate your own public and private keys to use to encrypt messages in the extension's preferences. Once your keys are ready, the next time you compose a message, you'll see a lock in the compose window that you can click to encrypt your message. You can even use multiple keys for multiple recipients.

When you get an encrypted message, the process works in reverse. You'll see the encrypted message with a lock overlay over it, and you can click it to enter your key password. Mailvelope will search your saved keys to find the one needed, and decrypt the message for you.

This is a nice extension, but the JavaScript library it depends upon currently does not support signing.
– chb, Jan 15 '14 at 6:55

@chb Not signing a message means you have plausible deniability. In the UK, the government can compel you to reveal your secret key. If you do, then if old messages are not signed, then they cannot prove that you sent them as anyone could have tampered with the message.
– Contango, Mar 30 '14 at 11:50

Well I do not see the problem about using an email client. Keep in mind you will always need to install a private key - so why not a client.

Personally I actually use S/MIME instead of gpg as this is more widely supported (even supported on iOS devices - and I think also Blackberries) - and gives similar security.
Btw there is even a Firefox plugin.

If you need gpg some editors (emacs, vim and probably many more) allow you to encrypt text. You could copy and paste that - or use a plugin.
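
The sign-then-encrypt wrapping described in the question, done with stock GnuPG so that the result is ASCII-armored text that can be pasted into a webmail compose box instead of attached as a file. This is an added example, not part of any post on this page; the two users, their addresses and the message are constructed, the keys are throwaway passphrase-less ones in temporary keyrings, and GnuPG 2.2 or later is assumed.

```shell
#!/bin/sh
# Added demo: throwaway, passphrase-less keys for two constructed users.
set -eu

# Run gpg non-interactively against one keyring ($1 = its homedir).
# --trust-model always skips key validation: acceptable for a demo only;
# with real correspondents, compare fingerprints out of band instead.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --pinentry-mode loopback \
      --passphrase '' --trust-model always "$@"
}

# $1 = homedir, $2 = user id. Creates a primary key plus encryption subkey.
make_user() { g "$1" --quick-generate-key "$2" default default never; }

# Copy the public keys (never the private ones) from keyring $1 to keyring $2.
send_pubkey() { g "$1" --armor --export | g "$2" --import; }

# $1 = sender homedir, $2 = sender id, $3 = recipient id; plaintext on stdin.
# Signs with the sender's private key, then encrypts to the recipient's public key.
sign_and_encrypt() {
  g "$1" --armor --local-user "$2" --recipient "$3" --sign --encrypt
}

# $1 = recipient homedir; armored message on stdin.
# Prints the plaintext only if decryption worked AND the signature is good.
decrypt_and_verify() {
  g "$1" --status-file "$1/status" --yes --output "$1/plain" --decrypt || return 1
  grep -q '^\[GNUPG:\] GOODSIG ' "$1/status" || return 1
  cat "$1/plain"
}

demo() {
  A=$(mktemp -d); B=$(mktemp -d)          # one private keyring per user
  make_user "$A" alice@example.test
  make_user "$B" bob@example.test
  send_pubkey "$A" "$B"; send_pubkey "$B" "$A"
  printf 'meet at the usual place' |
    sign_and_encrypt "$A" alice@example.test bob@example.test > "$A/msg.asc"
  head -n 1 "$A/msg.asc" >&2               # armor header of the text to paste
  rc=0; decrypt_and_verify "$B" < "$A/msg.asc" || rc=$?
  for h in "$A" "$B"; do gpgconf --homedir "$h" --kill gpg-agent || true; done
  rm -rf "$A" "$B"
  return "$rc"
}

if command -v gpg >/dev/null 2>&1; then RESULT=$(demo); printf '%s\n' "$RESULT"; fi
```

Only the pasted body is protected this way; as a comment above notes for Enigmail, the subject line and other headers still travel in the clear.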

The simplest method is to use an extension. Pandor is quite a user-friendly extension compliant with popular webmail services such as Gmail, Outlook, Mail or Yahoo. It's available in Chrome Google Store in this link and for Firefox Add-Ons in this link.